From 16a35e7adade3f38db7a01f19197698f4c2e6d1c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 22 Sep 2023 16:30:21 +0100 Subject: [PATCH 01/25] fixed notify error on black #226 Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 4acccb0e..e1c9236d 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -836,7 +836,7 @@ regexp: '(^CRYPTO_POLICY=.*)-o{{ rhel8stig_current_macs.stdout }}(.*$)' line: '\g<1>-o{{ rhel8stig_ssh_macs }}\g<2>' backrefs: true - notify: change_requires_reboot + notify: change_requires_reboot when: - rhel_08_010290 tags: @@ -861,7 +861,7 @@ regexp: '(^CRYPTO_POLICY=.*)-o{{ rhel8stig_current_ciphers.stdout }}(.*$)' line: '\g<1>-o{{ rhel8stig_ssh_ciphers }}\g<2>' backrefs: true - notify: change_requires_reboot + notify: change_requires_reboot when: - rhel_08_010291 tags: @@ -7407,8 +7407,7 @@ when: - rhel8stig_current_kex is defined - rhel8stig_current_kex.stdout | length > 0 - - notify: change_requires_reboot + notify: change_requires_reboot when: - rhel_08_040342 - rhel8stig_ssh_required From 886cab37e9c2787f69b415e00329213a252a365b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 25 Sep 2023 16:43:11 +0100 Subject: [PATCH 02/25] updated Signed-off-by: Mark Bolwell --- README.md | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 7593de99..7436dc28 100644 --- a/README.md +++ b/README.md 
@@ -15,19 +15,21 @@ This role is based on RHEL 8 DISA STIG: [Version 1, Rel 11 released on July 26, ![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/56380?label=Quality&&logo=ansible) ![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord) -![Devel Build Status](https://img.shields.io/github/actions/workflow/status/ansible-lockdown/rhel8-stig/linux_benchmark_testing.yml?label=Devel%20Build%20Status) -![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/rhel8-stig/devel?color=dark%20green&label=Devel%20Branch%20Commits) - ![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen) -![Main Build Status](https://img.shields.io/github/actions/workflow/status/ansible-lockdown/rhel8-stig/linux_benchmark_testing.yml?label=Build%20Status) -![Main Release Date](https://img.shields.io/github/release-date/ansible-lockdown/rhel8-stig?label=Release%20Date) -![Release Tag](https://img.shields.io/github/v/tag/ansible-lockdown/rhel8-stig?label=Release%20Tag&&color=success) +![Release Tag](https://img.shields.io/github/v/release/ansible-lockdown/RHEL8-STIG) +![Release Date](https://img.shields.io/github/release-date/ansible-lockdown/RHEL8-STIG) + +[![Main Pipeline Status](https://github.com/ansible-lockdown/RHEL8-STIG/actions/workflows/main_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/RHEL8-STIG/actions/workflows/main_pipeline_validation.yml) + +[![Devel Pipeline Status](https://github.com/ansible-lockdown/RHEL8-STIG/actions/workflows/devel_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/RHEL8-STIG/actions/workflows/devel_pipeline_validation.yml) +![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/RHEL8-STIG/devel?color=dark%20green&label=Devel%20Branch%20Commits) + +![Issues Open](https://img.shields.io/github/issues-raw/ansible-lockdown/RHEL8-STIG?label=Open%20Issues) +![Issues 
Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/RHEL8-STIG?label=Closed%20Issues&&color=success) +![Pull Requests](https://img.shields.io/github/issues-pr/ansible-lockdown/RHEL8-STIG?label=Pull%20Requests) -![Issues Open](https://img.shields.io/github/issues-raw/ansible-lockdown/rhel8-stig?label=Open%20Issues) -![Issues Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/rhel8-stig?label=Closed%20Issues&&color=success) -![Pull Requests](https://img.shields.io/github/issues-pr/ansible-lockdown/rhel8-stig?label=Pull%20Requests) +![License](https://img.shields.io/github/license/ansible-lockdown/RHEL8-STIG?label=License) -![License](https://img.shields.io/github/license/ansible-lockdown/rhel8-stig?label=License) --- From c6473fe8ff8020254408baf5589b48c6cf0ac3c3 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 25 Sep 2023 16:43:42 +0100 Subject: [PATCH 03/25] updated config Signed-off-by: Mark Bolwell --- .ansible-lint | 2 -- .yamllint | 2 +- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/.ansible-lint b/.ansible-lint index 057c65e0..b717f678 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -6,12 +6,10 @@ skip_list: - 'schema' - 'no-changed-when' - 'var-spacing' - - 'fqcn-builtins' - 'experimental' - 'name[play]' - 'name[casing]' - 'name[template]' - - 'fqcn[action]' - 'key-order[task]' - '204' - '305' diff --git a/.yamllint b/.yamllint index ec469292..65faae6c 100644 --- a/.yamllint +++ b/.yamllint @@ -30,4 +30,4 @@ rules: trailing-spaces: enable truthy: allowed-values: ['true', 'false'] - check-keys: false + check-keys: true From f50b1a31ab950bdde31f70351242cac311ba96f2 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 25 Sep 2023 16:48:30 +0100 Subject: [PATCH 04/25] updated exclusions Signed-off-by: Mark Bolwell --- .config/.secrets.baseline | 80 +++------------------------------------ 1 file changed, 5 insertions(+), 75 deletions(-) 
diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline index 41368ff4..2ad77429 100644 --- a/.config/.secrets.baseline +++ b/.config/.secrets.baseline @@ -75,10 +75,6 @@ { "path": "detect_secrets.filters.allowlist.is_line_allowlisted" }, - { - "path": "detect_secrets.filters.common.is_baseline_file", - "filename": ".config/.secrets.baseline" - }, { "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", "min_level": 2 
@@ -113,78 +109,12 @@ { "path": "detect_secrets.filters.regex.should_exclude_file", "pattern": [ - ".config/.gitleaks-report.json" + ".config/.gitleaks-report.json", + "tasks/parse_etc_passwd.yml", + "templates/pam_pkcs11.conf.j2" ] } ], - "results": { - "defaults/main.yml": [ - { - "type": "Secret Keyword", - "filename": "defaults/main.yml", - "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a", - "is_verified": false, - "line_number": 600, - "is_secret": false - } - ], - "tasks/fix-cat2.yml": [ - { - "type": "Secret Keyword", - "filename": "tasks/fix-cat2.yml", - "hashed_secret": "8458c0f07cce6d8c92d030b23562f791e57e30d6", - "is_verified": false, - "line_number": 4277, - "is_secret": false - } - ], - "tasks/main.yml": [ - { - "type": "Secret Keyword", - "filename": "tasks/main.yml", - "hashed_secret": "8eab8633ccf31cc656649638e6d6b45bd7235ffe", - "is_verified": false, - "line_number": 66, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": "tasks/main.yml", - "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a", - "is_verified": false, - "line_number": 101, - "is_secret": false - } - ], - "tasks/parse_etc_passwd.yml": [ - { - "type": "Secret Keyword", - "filename": "tasks/parse_etc_passwd.yml", - "hashed_secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360", - "is_verified": false, - "line_number": 18 - } - ], - "tasks/prelim.yml": [ - { - "type": "Secret Keyword", - "filename": "tasks/prelim.yml", - "hashed_secret": "43c1e0cadc7daa65d95fbf97f335a9896c8e58c6", - "is_verified": false, - "line_number": 124, - "is_secret": false - } - ], - "templates/pam_pkcs11.conf.j2": [ - { - "type": "Secret Keyword", - "filename": "templates/pam_pkcs11.conf.j2", - "hashed_secret": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3", - "is_verified": false, - "line_number": 173, - "is_secret": false - } - ] - }, - "generated_at": "2023-09-15T08:39:31Z" + "results": {}, + "generated_at": "2023-09-25T15:48:01Z" } 
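Review bot: Adding `tasks/parse_etc_passwd.yml` and `templates/pam_pkcs11.conf.j2` to the `should_exclude_file` pattern list turns off secret scanning for those whole files, which is much broader than the single finding each of them carried in the `results` block removed below. The inline `# pragma: allowlist secret` marker that the rest of this series applies to `defaults/main.yml` and `tasks/main.yml` would suppress just the flagged line and keep any future additions to those two files under scan. The first hunk also drops the `is_baseline_file` filter; if that was not deliberate, confirm with the detect-secrets version in use that the scanner will not start reporting the `hashed_secret` values inside this baseline once it has entries again.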
From d2f1cad079b62334440453fae9ab0632a8b6f9a3 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 25 Sep 2023 16:48:40 +0100 Subject: [PATCH 05/25] updated with allowed Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 +- tasks/fix-cat2.yml | 2 +- tasks/main.yml | 6 +++--- tasks/prelim.yml | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 8b68badf..e60a576d 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -597,7 +597,7 @@ rhel8stig_tftp_required: false # RHEL-08-010140 and RHEL-08-020280 # Password protect the boot loader -rhel8stig_bootloader_password_hash: grub.pbkdf2.sha512.changethispassword +rhel8stig_bootloader_password_hash: grub.pbkdf2.sha512.changethispassword # pragma: allowlist secret rhel8stig_boot_superuser: bootloader_admin # AIDE settings diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index e1c9236d..a651125f 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -4274,7 +4274,7 @@ - name: "MEDIUM | RHEL-08-020320 | AUDIT | RHEL 8 must not have unnecessary accounts. | Re-parse passwd file" ansible.builtin.include_tasks: parse_etc_passwd.yml vars: - rhel8stig_passwd_tasks: "RHEL-08-020320" + rhel8stig_passwd_tasks: "RHEL-08-020320" # pragma: allowlist secret when: rhel_08_020320_accounts_removed is changed # noqa no-handler when: - rhel_08_020320 diff --git a/tasks/main.yml b/tasks/main.yml index 36cb7639..c516e703 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -63,7 +63,7 @@ fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access" success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }}" vars: - sudo_password_rule: RHEL-08-010380 + sudo_password_rule: RHEL-08-010380 # pragma: allowlist secret when: - rhel_08_010380 - ansible_env.SUDO_USER is defined 
@@ -98,8 +98,8 @@ - name: Check rhel8stig_bootloader_password_hash variable has been changed ansible.builtin.assert: - that: rhel8stig_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' - msg: "This role will not be able to run single user password commands as rhel8stig_bootloader_password_hash variable has not been set" + that: rhel8stig_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret + msg: "This role will not be able to run single user password commands as rhel8stig_bootloader_password_hash variable has not been set" # pragma: allowlist secret when: - not system_is_ec2 diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 20435f73..2a723ee6 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -121,7 +121,7 @@ - name: "PRELIM | RHEL-08-010740 | RHEL-08-010750 | RHEL-08-020320 | Parse /etc/passwd" ansible.builtin.import_tasks: parse_etc_passwd.yml vars: - rhel8stig_passwd_tasks: "RHEL-08-010740 RHEL-08-010750 RHEL-08-020320" + rhel8stig_passwd_tasks: "RHEL-08-010740 RHEL-08-010750 RHEL-08-020320" # pragma: allowlist secret when: - rhel_08_010141 or rhel_08_010149 or From bdcbdb1d12e19b9bbb863fd78f19a3e514b4c3de Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 25 Sep 2023 16:49:37 +0100 Subject: [PATCH 06/25] lint updates Signed-off-by: Mark Bolwell --- .gitattributes | 2 +- templates/01-banner-message.j2 | 2 +- templates/aide.conf.j2 | 2 +- templates/ansible_vars_goss.yml.j2 | 2 +- templates/pam_pkcs11.conf.j2 | 12 ++++++------ templates/resolv.conf.j2 | 2 +- test_plugins/rhel8_stig_ansible_backport.py | 2 +- test_plugins/rhel8_stig_jinja_compat.py | 2 +- 8 files changed, 13 insertions(+), 13 deletions(-) diff --git a/.gitattributes b/.gitattributes index 9a24540b..b2daffb9 100644 --- a/.gitattributes +++ b/.gitattributes 
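Review bot: The assertion in the `tasks/main.yml` hunk at line 98 only rejects the placeholder value, so a plaintext or otherwise malformed `rhel8stig_bootloader_password_hash` passes the check and is later written into the GRUB configuration as the superuser password. Turning `that:` into a list makes room for a format check alongside the existing one: `that:` / `- rhel8stig_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword'` / `- rhel8stig_bootloader_password_hash is match('^grub\\.pbkdf2\\.sha512\\.')`. The `when:` list of this task continues past the end of the hunk, so the conditions under which it runs are not fully visible here.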
@@ -3,4 +3,4 @@ *.yml linguist-detectable=true *.ps1 linguist-detectable=true *.j2 linguist-detectable=true -*.md linguist-documentation \ No newline at end of file +*.md linguist-documentation diff --git a/templates/01-banner-message.j2 b/templates/01-banner-message.j2 index 23974c01..1a1a581b 100644 --- a/templates/01-banner-message.j2 +++ b/templates/01-banner-message.j2 @@ -1,4 +1,4 @@ -[org/gnome/login-screen] +[org/gnome/login-screen] banner-message-enable=true banner-message-text='{{ rhel8stig_logon_banner }}' diff --git a/templates/aide.conf.j2 b/templates/aide.conf.j2 index 92ebb20a..fc93abe9 100644 --- a/templates/aide.conf.j2 +++ b/templates/aide.conf.j2 @@ -319,4 +319,4 @@ DATAONLY = FIPSR # Ditto /var/log/sa/ same reason... -!/var/log/httpd/ \ No newline at end of file +!/var/log/httpd/ diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index e81f9658..69484221 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -14,7 +14,7 @@ rpm_gpg_key: {{ rpm_gpg_key }} rhel8stig_os_version_pre_8_2: {% if ansible_distribution_version >= '8.2' %}false{% else %}true{% endif %} -# Some tests may need to scan every filesystem or have an impact on a system +# Some tests may need to scan every filesystem or have an impact on a system # these may need be scheduled to minimise impact also ability to set a timeout if taking too long run_heavy_tests: {{ audit_run_heavy_tests }} timeout_ms: {{ audit_cmd_timeout }} diff --git a/templates/pam_pkcs11.conf.j2 b/templates/pam_pkcs11.conf.j2 index febf193e..32c441b5 100644 --- a/templates/pam_pkcs11.conf.j2 +++ b/templates/pam_pkcs11.conf.j2 @@ -9,7 +9,7 @@ pam_pkcs11 { nullok = true; # Enable debugging support. - debug = false; + debug = false; # If the smart card is inserted, only use it card_only = true; 
@@ -32,7 +32,7 @@ pam_pkcs11 { screen_savers = gnome-screensaver,xscreensaver,kscreensaver pkcs11_module {{ rhel08stig_smartcarddriver }} { - {% if rhel08stig_smartcarddriver == 'cackey' %}module = /usr/lib64/libcackey.so;{% elif rhel08stig_smartcarddriver == 'coolkey' %}module = libcoolkeypk11.so;{% endif %} + {% if rhel08stig_smartcarddriver == 'cackey' %}module = /usr/lib64/libcackey.so;{% elif rhel08stig_smartcarddriver == 'coolkey' %}module = libcoolkeypk11.so;{% endif %} module = /usr/lib64/libcackey.so; description = "{{ rhel08stig_smartcarddriver }}"; slot_num = 0; @@ -54,7 +54,7 @@ pam_pkcs11 { # you can mange the certs in this database with the certutil command in # the package nss-tools nss_dir = /etc/pki/nssdb; - + # Sets the Certificate Policy, (see above) cert_policy = ca, signature; } @@ -96,10 +96,10 @@ pam_pkcs11 { # When no absolute path or module info is provided, use this # value as module search path # TODO: - # This is not still functional: use absolute pathnames or LD_LIBRARY_PATH + # This is not still functional: use absolute pathnames or LD_LIBRARY_PATH mapper_search_path = /usr/$LIB/pam_pkcs11; - # + # # Generic certificate contents mapper mapper generic { debug = true; @@ -194,7 +194,7 @@ pam_pkcs11 { module = internal; # module = /usr/$LIB/pam_pkcs11/mail_mapper.so; # Declare mapfile or - # leave empty "" or "none" to use no map + # leave empty "" or "none" to use no map mapfile = file:///etc/pam_pkcs11/mail_mapping; # Some certs store email in uppercase. take care on this ignorecase = true; diff --git a/templates/resolv.conf.j2 b/templates/resolv.conf.j2 index 483018cd..8f214a7b 100644 --- a/templates/resolv.conf.j2 +++ b/templates/resolv.conf.j2 @@ -11,4 +11,4 @@ nameserver {{ server }} {% endif %} {% if rhel8_stig_resolv_options is iterable %} options {{ rhel8_stig_resolv_options | join(' ') }} -{% endif %} \ No newline at end of file +{% endif %} 
diff --git a/test_plugins/rhel8_stig_ansible_backport.py b/test_plugins/rhel8_stig_ansible_backport.py index 87b412b9..343b5bdc 100644 --- a/test_plugins/rhel8_stig_ansible_backport.py +++ b/test_plugins/rhel8_stig_ansible_backport.py @@ -19,4 +19,4 @@ def tests(self): return { # set theory 'contains': contains, - } \ No newline at end of file + } diff --git a/test_plugins/rhel8_stig_jinja_compat.py b/test_plugins/rhel8_stig_jinja_compat.py index 10bc9409..979aded8 100644 --- a/test_plugins/rhel8_stig_jinja_compat.py +++ b/test_plugins/rhel8_stig_jinja_compat.py @@ -38,4 +38,4 @@ def tests(self): 'lessthan': operator.lt, '<=': operator.le, 'le': operator.le, - } \ No newline at end of file + } From 386a0ca43f665701acd3bea06119cd65933f370d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 25 Sep 2023 16:53:50 +0100 Subject: [PATCH 07/25] updated Signed-off-by: Mark Bolwell --- Changelog.md | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/Changelog.md b/Changelog.md index 73a22b0f..249241bd 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,8 +1,16 @@ # Changes to RHEL8STIG -## Stig V1R11 - 26th July 2023 +## 3.0.2 - Stig V1R11 - 26th July 2023 -### 3.0.1 +- workflow and pipeline updates +- links updates in documentation +- #222 thanks to @BJSmithIEEE +- #226 thanks to @jmalpede +- lint config updates +- lint updates +- precommit added and configured + +### 3.0.1 - Stig V1R11 - 26th July 2023 Issues: From 4b28f9905653133fe2ba781a814d687822de9616 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 6 Oct 2023 22:06:13 +0100 Subject: [PATCH 08/25] updated collections Signed-off-by: Mark Bolwell --- collections/requirements.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/collections/requirements.yml b/collections/requirements.yml index 23596ec0..8ebc6180 100644 --- a/collections/requirements.yml +++ b/collections/requirements.yml 
@@ -2,7 +2,13 @@ collections: - name: community.general + source: https://github.com/ansible-collections/community.general + type: git - name: community.crypto + source: https://github.com/ansible-collections/community.crypto + type: git - name: ansible.posix + source: https://github.com/ansible-collections/ansible.posix + type: git From d838cc61374719aa06f44341b6be7421c8f30ad6 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 9 Oct 2023 15:04:27 +0100 Subject: [PATCH 09/25] updated as host_key changes for fips Signed-off-by: Mark Bolwell --- ansible.cfg | 1 + 1 file changed, 1 insertion(+) diff --git a/ansible.cfg b/ansible.cfg index dbe143da..8b4596ec 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -18,6 +18,7 @@ record_host_keys=False [ssh_connection] transfer_method=scp +ssh_args = -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no [accelerate] From 038c2b0cb01463550fc328c770adf07d234c6bd7 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 9 Oct 2023 15:05:53 +0100 Subject: [PATCH 10/25] updated versions Signed-off-by: Mark Bolwell --- .pre-commit-config.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 97c79434..84807cde 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -7,7 +7,7 @@ ci: repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v3.2.0 + rev: v4.4.0 hooks: # Safety - id: detect-aws-credentials @@ -37,13 +37,13 @@ repos: exclude: .config/.gitleaks-report.json - repo: https://github.com/gitleaks/gitleaks - rev: v8.17.0 + rev: v8.18.0 hooks: - id: gitleaks args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint - rev: v6.17.2 + rev: v6.20.2 hooks: - id: ansible-lint name: Ansible-lint From 7d1574d51cca9d3de6d19dcef81f8b8e4db766c1 Mon Sep 17 00:00:00 2001 
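Review bot: The `collections/requirements.yml` hunk switches all three collections to `type: git` sources without a `version:` key, so `ansible-galaxy collection install` will fetch whatever the default branch holds at install time instead of a reviewed release, and two runs of the pipeline can resolve different code. Pin each entry to a tag or commit, e.g. `version: "<release tag or commit>"` under `community.general` and likewise for the other two, or keep the Galaxy source and pin the version there, so the role's dependency set is reproducible and a broken or compromised upstream branch cannot land unnoticed.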
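Review bot: The added `ssh_args = -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no` in `ansible.cfg` disables SSH host key verification for every connection this role makes, which leaves the control connection of a hardening role open to an on-path attacker, and it ships in the role's default config rather than a CI-only one. If the motivation is that enabling FIPS regenerates the target's host keys, as the commit subject suggests, it is narrower to remove the stale entry on the controller after that step with `ssh-keygen -R <host>`, or to keep this override in the pipeline's own `ansible.cfg` or `ANSIBLE_SSH_ARGS` for the test hosts only. At minimum a comment above the line should say why it is there and that it must not be used against production inventory.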
From: Mark Bolwell Date: Mon, 9 Oct 2023 15:07:46 +0100 Subject: [PATCH 11/25] Issue #229 sysctl approach thanks to @JacobBuskirk Signed-off-by: Mark Bolwell --- defaults/main.yml | 3 + handlers/main.yml | 10 -- tasks/fix-cat2.yml | 290 +++++++++++++++++++++++------------- tasks/fix-cat3.yml | 22 ++- templates/99-sysctl.conf.j2 | 153 ------------------- vars/main.yml | 2 +- 6 files changed, 202 insertions(+), 278 deletions(-) delete mode 100644 templates/99-sysctl.conf.j2 diff --git a/defaults/main.yml b/defaults/main.yml index e60a576d..4efc7f89 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -484,6 +484,9 @@ rhel8stig_smartcard: false # Configure your smartcard driver rhel8stig_smartcarddriver: cackey +# Set the file that sysctl should write to +rhel8stig_sysctl_file: /etc/sysctl.d/99_stig_sysctl.conf + # Whether or not system uses remote automounted home directories via autofs rhel8stig_autofs_remote_home_dirs: false diff --git a/handlers/main.yml b/handlers/main.yml index e7f323d7..3e6ff61d 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -5,16 +5,6 @@ when: - not system_is_container -- name: update sysctl - ansible.builtin.template: - src: 99-sysctl.conf.j2 - dest: /etc/sysctl.d/99-sysctl.conf - owner: root - group: root - mode: 0644 - notify: sysctl system - when: "'procps-ng' in ansible_facts.packages" - - name: sysctl system ansible.builtin.shell: sysctl --system when: "'procps-ng' in ansible_facts.packages" diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index a651125f..41eada91 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
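Review bot: The new `ansible.posix.sysctl` tasks all pass `reload: "{{ rhel8stig_sysctl_reload }}"`, but the `defaults/main.yml` hunk only introduces `rhel8stig_sysctl_file`; unless `vars/main.yml` (changed in this commit but not shown here) defines `rhel8stig_sysctl_reload`, every converted task will fail on an undefined variable. Define it next to the file path so it is user-overridable in the same place, e.g. `# Reload sysctl after writing the file (set to false when building images or containers)` / `rhel8stig_sysctl_reload: true`. A why-comment on the file name would also help the next maintainer: `# 99_ sorts after the stock 99-sysctl.conf so these values win when sysctl --system is run` (worth confirming the sort order on the target image).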
@@ -1202,10 +1202,13 @@ - name: "MEDIUM | RHEL-08-010372 | PATCH | RHEL 8 must prevent the loading of a new kernel for later execution." block: - name: "MEDIUM | RHEL-08-010372 | PATCH | RHEL 8 must prevent the loading of a new kernel for later execution. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: kernel.kexec_load_disabled + value: 1 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" - name: "MEDIUM | RHEL-08-010372 | AUDIT | RHEL 8 must prevent the loading of a new kernel for later execution. | Find conflicting instances" ansible.builtin.shell: grep -rs "kernel.kexec_load_disabled = 0" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 @@ -1247,11 +1250,14 @@ loop: "{{ rhel_08_010373_conflicting_settings.stdout_lines }}" when: rhel_08_010373_conflicting_settings.stdout | length > 0 - - name: "MEDIUM | RHEL-08-010373 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + - name: "MEDIUM | RHEL-08-010373 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks. | Set sysctl" + ansible.posix.sysctl: + name: fs.protected_symlinks + value: 1 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_010373 tags: 
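Review bot: The 010372 task keeps the name suffix `| Use template to create file` although the template-and-handler path it described is removed in this commit, while the sibling 010373 task in the next hunk was renamed to `| Set sysctl`; the stale suffix recurs on most of the converted tasks later in the file. Rename them consistently, e.g. `- name: "MEDIUM | RHEL-08-010372 | PATCH | RHEL 8 must prevent the loading of a new kernel for later execution. | Set sysctl"`, since the task name is what appears in run output and audit evidence. Note also that in 010372 the sysctl write now runs before the conflicting-instances grep, whereas 010373 greps and removes first; aligning the order across blocks would make the behaviour easier to reason about. Both enclosing `block:` tasks start before their hunks.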
@@ -1280,10 +1286,13 @@ when: rhel_08_010374_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-010374 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks." - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: fs.protected_hardlinks + value: 1 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_010374 tags: @@ -1566,10 +1575,13 @@ when: rhel_08_010430_conflicting_settings.stdout | length > 0 - name: " MEDIUM | RHEL-08-010430 | PATCH | RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: kernel.randomize_va_space + value: 2 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_010430 tags: @@ -2224,10 +2236,13 @@ when: rhel_08_010671_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-010671 | PATCH | RHEL 8 must disable the kernel.core_pattern." - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: kernel.core_pattern + value: "|/bin/false" + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_010671 tags: 
@@ -3340,7 +3355,7 @@ if [ "$PS1" ]; then parent=$(ps -o ppid= -p $$) name=$(ps -o comm= -p $parent) - case "$name" in (sshd|login) tmux ;; esac + case "$name" in (sshd|login) exec tmux ;; esac fi create: true when: @@ -6615,10 +6630,13 @@ when: rhel_08_040209_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040209 | PATCH | RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv4.conf.default.accept_redirects + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040209 tags: @@ -6647,10 +6665,13 @@ when: rhel_08_040210_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040210 | PATCH | RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv6.conf.default.accept_redirects + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040210 
@@ -6681,10 +6702,13 @@ when: rhel_08_040220_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv4.conf.all.send_redirects + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040220 tags: @@ -6713,10 +6737,13 @@ when: rhel_08_040230_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv4.icmp_echo_ignore_broadcasts + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040230 tags: @@ -6745,10 +6772,13 @@ when: rhel_08_040239_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040239 | PATCH | RHEL 8 must not forward IPv4 source-routed packets. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv4.conf.all.accept_source_route + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040239 tags: 
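Review bot: The 040230 task sets `net.ipv4.icmp_echo_ignore_broadcasts` to `0`, which tells the kernel to answer echo requests sent to broadcast addresses — the opposite of the task's own title ("must not respond to ... echoes sent to a broadcast address") and of what the STIG check expects. Change it to `value: 1`. Since the `99-sysctl.conf.j2` template that previously carried these values is deleted in this commit and cannot be compared against, it is worth re-checking the other `value:` fields in this series against the STIG fix text as well. The enclosing `block:` for this task starts before the hunk.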
@@ -6777,10 +6807,13 @@ when: rhel_08_040240_conflicting_settings.stdout |length > 0 - name: "MEDIUM | RHEL-08-040240 | PATCH | RHEL 8 must not forward IPv6 source-routed packets. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv6.conf.all.accept_source_route + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040240 - rhel8stig_ipv6_required @@ -6810,10 +6843,13 @@ when: rhel_08_040249_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040249 | PATCH | RHEL 8 must not forward IPv4 source-routed packets by default. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv4.conf.default.accept_source_route + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040249 tags: @@ -6842,10 +6878,13 @@ when: rhel_08_040250_conflicting_findings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040250 | PATCH | RHEL 8 must not forward IPv6 source-routed packets by default. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv6.conf.default.accept_source_route + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040250 - rhel8stig_ipv6_required 
@@ -6875,10 +6914,13 @@ when: rhel_08_040259_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040259 | PATCH | RHEL 8 must not enable IPv4 packet forwarding unless the system is a router. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv4.conf.all.forwarding + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040259 - not rhel8stig_system_is_router @@ -6908,10 +6950,13 @@ when: rhel_08_040260_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040260 | PATCH | RHEL 8 must not enable IPv6 packet forwarding unless the system is a router. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv6.conf.all.forwarding + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040260 - not rhel8stig_system_is_router @@ -6941,10 +6986,13 @@ when: rhel_08_040261_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040261 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv6.conf.all.accept_ra + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040261 - rhel8stig_ipv6_required 
@@ -6975,10 +7023,13 @@ when: rhel_08_040262_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040262 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces by default. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv6.conf.default.accept_ra + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040262 - rhel8stig_ipv6_required @@ -7009,10 +7060,13 @@ when: rhel_08_040270_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv4.conf.default.send_redirects + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040270 tags: @@ -7041,10 +7095,13 @@ when: rhel_08_040279_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040279 | PATCH | RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv4.conf.all.send_redirects + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040279 tags: 
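Review bot: The 040279 task, titled "must ignore IPv4 ICMP redirect messages", sets `net.ipv4.conf.all.send_redirects`, which is the sending side and is already set by the 040220 task earlier in this file; ignoring received redirects is governed by `net.ipv4.conf.all.accept_redirects`, which no task in this series sets for the `all` interface (040209 covers only `default`). Change the parameter to `name: net.ipv4.conf.all.accept_redirects`, and check that the `rhel_08_040279_conflicting_settings` grep referenced on the context line above looks for the same key, otherwise the conflict cleanup and the setting will diverge. The enclosing `block:` for this task starts before the hunk.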
@@ -7073,10 +7130,13 @@ when: rhel_08_040280_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040280 | PATCH | RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv6.conf.all.accept_redirects + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040280 - rhel8stig_ipv6_required @@ -7106,10 +7166,13 @@ when: rhel_08_040281_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040281 | PATCH | RHEL 8 must disable access to network bpf syscall from unprivileged processes. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: kernel.unprivileged_bpf_disabled + value: 1 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040281 tags: @@ -7138,10 +7201,13 @@ when: rhel_08_040282_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040282 | PATCH | RHEL 8 must restrict usage of ptrace to descendant processes. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: kernel.yama.ptrace_scope + value: 1 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040282 tags: 
@@ -7170,10 +7236,13 @@ when: rhel_08_040283_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040283 | PATCH | RHEL 8 must restrict exposed kernel pointer addresses access. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: kernel.kptr_restrict + value: 1 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040283 tags: @@ -7202,10 +7271,13 @@ when: rhel_08_040284_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040284 | PATCH | RHEL 8 must disable the use of user namespaces. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: user.max_user_namespaces + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040284 tags: @@ -7234,10 +7306,13 @@ when: rhel_08_040285_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040285 | PATCH | RHEL 8 must use reverse path filtering on all IPv4 interfaces. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv4.conf.all.rp_filter + value: 1 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040285 tags: 
@@ -7266,10 +7341,13 @@ when: rhel_08_040286_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040286 | PATCH | RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.core.bpf_jit_harden + value: 2 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040286 tags: diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml index 39c12a56..66c817ca 100644 --- a/tasks/fix-cat3.yml +++ b/tasks/fix-cat3.yml @@ -49,10 +49,13 @@ when: rhel_08_010375_conflicting_settings.stdout | length > 0 - name: "LOW | RHEL-08-010375 | PATCH | RHEL 8 must restrict access to the kernel message buffer." - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: kernel.dmesg_restrict + value: 1 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_010375 tags: @@ -81,10 +84,13 @@ when: rhel_08_010376_conflicting_settings.stdout | length > 0 - name: "LOW | RHEL-08-010376 | PATCH | RHEL 8 must prevent kernel profiling by unprivileged users." - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: kernel.perf_event_paranoid + value: 2 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_010376 tags: 
diff --git a/templates/99-sysctl.conf.j2 b/templates/99-sysctl.conf.j2 deleted file mode 100644 index 3958c9f2..00000000 --- a/templates/99-sysctl.conf.j2 +++ /dev/null 
@@ -1,153 +0,0 @@ -# sysctl settings are defined through files in -# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/. -# -# Vendors settings live in /usr/lib/sysctl.d/. -# To override a whole file, create a new file with the same in -# /etc/sysctl.d/ and put new settings there. To override -# only specific settings, add a file with a lexically later -# name in /etc/sysctl.d/ and put new settings there. -# -# For more information, see sysctl.conf(5) and sysctl.d(5). - -# sysctl file Added via stig ansible remediation -# Each line is added if set - -{% if rhel_08_010372 %} -# RHEL-08-010372 -kernel.kexec_load_disabled = 1 -{% endif %} - -{% if rhel_08_010373 %} -# RHEL-08-010373 -fs.protected_symlinks = 1 -{% endif %} - -{% if rhel_08_010374 %} -# RHEL-08-010374 -fs.protected_hardlinks = 1 -{% endif %} - -{% if rhel_08_010375 %} -# RHEL-08-010375 -kernel.dmesg_restrict = 1 -{% endif %} - -{% if rhel_08_010376 %} -# RHEL-08-010376 -kernel.perf_event_paranoid = 2 -{% endif %} - -{% if rhel_08_010430 %} -# RHEL-08-010430 -kernel.randomize_va_space = 2 -{% endif %} - -{% if rhel_08_010671 %} -# RHEL-08-010671 -kernel.core_pattern = |/bin/false -{% endif %} - -{% if rhel_08_040209 %} -# RHEL-08-040209 -net.ipv4.conf.default.accept_redirects = 0 -{% endif %} - -{% if rhel_08_040210 and rhel8stig_ipv6_required %} -# RHEL-08-040210 -net.ipv6.conf.default.accept_redirects = 0 -{% endif %} - -{% if rhel_08_040220 %} -# RHEL-08-040220 -net.ipv4.conf.all.send_redirects = 0 -{% endif %} - -{% if rhel_08_040230 %} -# RHEL-08-040230 -net.ipv4.icmp_echo_ignore_broadcasts = 1 -{% endif %} - -{% if rhel_08_040239 %} -# RHEL-08-040239 -net.ipv4.conf.all.accept_source_route = 0 -{% endif %} - -{% if rhel_08_040240 %} -# RHEL-08-040240 -net.ipv6.conf.all.accept_source_route = 0 -{% endif %} - -{% if rhel_08_040249 %} -# RHEL-08-040249 -net.ipv4.conf.default.accept_source_route = 0 -{% endif %} - -{% if rhel_08_040250 and rhel8stig_ipv6_required %} -# RHEL-08-040250 
-net.ipv6.conf.default.accept_source_route = 0 -{% endif %} - -{% if rhel_08_040259 and not rhel8stig_system_is_router %} -# RHEL-08-040259 -net.ipv4.conf.all.forwarding = 0 -{% endif %} - -{% if rhel_08_040260 and not rhel8stig_system_is_router %} -# RHEL-08-040260 -net.ipv6.conf.all.forwarding = 0 -{% endif %} - -{% if rhel_08_040261 and rhel8stig_ipv6_required and not rhel8stig_system_is_router %} -# RHEL-08-040261 -net.ipv6.conf.all.accept_ra = 0 -{% endif %} - -{% if rhel_08_040262 and rhel8stig_ipv6_required and not rhel8stig_system_is_router %} -# RHEL-08-040262 -net.ipv6.conf.default.accept_ra = 0 -{% endif %} - -{% if rhel_08_040270 %} -# RHEL-08-040270 -net.ipv4.conf.default.send_redirects = 0 -{% endif %} - -{% if rhel_08_040279 %} -# RHEL-08-040279 -net.ipv4.conf.all.accept_redirects = 0 -{% endif %} - -{% if rhel_08_040280 and rhel8stig_ipv6_required %} -# RHEL-08-040280 -net.ipv6.conf.all.accept_redirects = 0 -{% endif %} - -{% if rhel_08_040281 %} -# RHEL-08-040281 -kernel.unprivileged_bpf_disabled = 1 -{% endif %} - -{% if rhel_08_040282 %} -# RHEL-08-040282 -kernel.yama.ptrace_scope = 1 -{% endif %} - -{% if rhel_08_040283 %} -# RHEL-08-040283 -kernel.kptr_restrict = 1 -{% endif %} - -{% if rhel_08_040284 %} -# RHEL-08-040284 -user.max_user_namespaces = 0 -{% endif %} - -{% if rhel_08_040285 %} -# RHEL-08-040285 -net.ipv4.conf.all.rp_filter = 1 -{% endif %} - -{% if rhel_08_040286 %} -# RHEL-08-040286 -net.core.bpf_jit_harden = 2 -{% endif %} diff --git a/vars/main.yml b/vars/main.yml index f01c9ff9..92b42958 100644 --- a/vars/main.yml +++ b/vars/main.yml 
@@ -10,7 +10,7 @@ rhel8stig_service_started: "{{ rhel8stig_system_is_chroot | ternary(omit, 'start # !!!!!!!!possibly delete # rhel8stig_systemd_daemon_reload: "{{ not rhel8stig_system_is_chroot }}" -rhel8stig_sysctl_reload: "{{ not rhel8stig_system_is_container }}" +rhel8stig_sysctl_reload: "{{ not system_is_container }}" # these variables are for enabling tasks to run that will be further controled # by check_mode to prevent the remediation task from making changes as From 86377fbb1f8928c476bf9988ce46dad94ed971d3 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 24 Oct 2023 11:00:49 +0100 Subject: [PATCH 12/25] updated for copy and format outputs Signed-off-by: Mark Bolwell --- tasks/LE_audit_setup.yml | 4 +-- tasks/post_remediation_audit.yml | 44 +++++++++++++++++++------------ tasks/pre_remediation_audit.yml | 45 ++++++++++++++++---------------- 3 files changed, 52 insertions(+), 41 deletions(-) diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index 4ef8469f..c8222b8e 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml @@ -7,7 +7,7 @@ owner: root group: root checksum: "{{ audit_bin_version.checksum }}" - mode: 0555 + mode: '0555' when: - get_audit_binary_method == 'download' @@ -15,8 +15,8 @@ ansible.builtin.copy: src: "{{ audit_bin_copy_location }}" dest: "{{ audit_bin }}" - mode: 0555 owner: root group: root + mode: '0555' when: - get_audit_binary_method == 'copy' diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index f0a7664e..fa9614b6 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml 
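Review bot: `rhel8stig_sysctl_reload` now reads `system_is_container`, a name that is not defined anywhere in this patch; if it is not set by prelim or defaults outside the diff, every migrated `ansible.posix.sysctl` task that passes `reload: "{{ rhel8stig_sysctl_reload }}"` fails with an undefined-variable error rather than skipping the reload. Worth confirming where that fact is set, and a comment above the line naming its source, e.g. `# system_is_container is set in prelim`, would save the next reader the same search. The two `# !!!!!!!!possibly delete` context lines above suggest this area was already mid-cleanup.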
@@ -1,24 +1,16 @@ --- -- name: "Post Audit | Run post_remediation {{ benchmark }} audit" - ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" - changed_when: true - environment: - AUDIT_BIN: "{{ audit_bin }}" - AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" - AUDIT_FILE: "goss.yml" - -- name: Post Audit | ensure audit files readable by users - ansible.builtin.file: - path: "{{ item }}" - mode: 0644 - state: file - loop: - - "{{ post_audit_outfile }}" - - "{{ pre_audit_outfile }}" - - name: Post Audit | Capture audit data if json format block: + + - name: "Post Audit | Run post_remediation {{ benchmark }} audit" + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" + changed_when: true + environment: + AUDIT_BIN: "{{ audit_bin }}" + AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_FILE: "goss.yml" + - name: "capture data {{ post_audit_outfile }}" ansible.builtin.shell: "cat {{ post_audit_outfile }}" register: post_audit @@ -34,6 +26,15 @@ - name: Post Audit | Capture audit data if documentation format block: + + - name: "Post Audit | Run post_remediation {{ benchmark }} audit" + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }} -f documentation" + changed_when: true + environment: + AUDIT_BIN: "{{ audit_bin }}" + AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_FILE: "goss.yml" + - name: "Post Audit | capture data {{ post_audit_outfile }}" ansible.builtin.shell: "tail -2 {{ post_audit_outfile }}" register: post_audit 
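Review bot: The `Run post_remediation {{ benchmark }} audit` shell task is now copied into both the json and documentation blocks, identical apart from `-f documentation` in the second; the two `tasks/pre_remediation_audit.yml` hunks duplicate the task the same way. One task ahead of the blocks with the format flag derived from the variable, e.g. `{{ (audit_format == 'documentation') | ternary('-f documentation', '') }}` appended to the command, keeps a single copy of the command line and environment. Each block's `when:` on `audit_format` sits outside the hunk, so I am assuming the blocks are mutually exclusive.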
@@ -44,3 +45,12 @@ post_audit_summary: "{{ post_audit.stdout_lines }}" when: - audit_format == "documentation" + +- name: Post Audit | ensure audit files readable by users + ansible.builtin.file: + path: "{{ item }}" + mode: '0644' + state: file + loop: + - "{{ post_audit_outfile }}" + - "{{ pre_audit_outfile }}" diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index fc9ed887..290170d6 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -1,7 +1,8 @@ --- - name: Audit Binary Setup | Setup the LE audit - ansible.builtin.include_tasks: LE_audit_setup.yml + ansible.builtin.include_tasks: + file: LE_audit_setup.yml when: - setup_audit tags: @@ -15,19 +16,11 @@ - name: Pre Audit Setup | If using git for content set up block: - - name: Pre Audit Setup | Install git (rh8 python3) + - name: Pre Audit Setup | Install git ansible.builtin.package: name: git state: present - when: ansible_distribution_major_version == '8' - - - name: Pre Audit Setup | Install git (rh7 python2) - ansible.builtin.package: - name: git - state: present - vars: - ansible_python_interpreter: "{{ python2_bin }}" - when: ansible_distribution_major_version == '7' + when: "'git' not in ansible_facts.packages" - name: Pre Audit Setup | retrieve audit content files from git ansible.builtin.git: @@ -68,9 +61,8 @@ - name: Pre Audit Setup | If audit ensure goss is available ansible.builtin.assert: + that: goss_available.stat.exists msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" - when: - - not goss_available.stat.exists when: - run_audit 
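Review bot: `mode: '0644'` leaves both audit reports readable by every local account, and those reports list which STIG controls the host fails. If only the operator or a reporting agent needs them, a group-restricted mode such as `'0640'` with an explicit `group:` limits that exposure. The task is moved rather than new, so the choice may be deliberate; a comment stating who needs read access, e.g. `# reports are consumed by non-root collectors, hence world-readable`, would settle it.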
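Review bot: `when: "'git' not in ansible_facts.packages"` only evaluates if `package_facts` has been gathered earlier in the play; nothing in this patch collects it, and with the fact missing the condition raises an undefined-variable error instead of installing git. If prelim gathers it outside this diff that is fine, otherwise a `package_facts` task before the block, or `when: "'git' not in (ansible_facts.packages | default({}))"`, keeps the install working — `ansible.builtin.package` is idempotent, so the condition is only an optimisation.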
@@ -78,22 +70,22 @@ ansible.builtin.template: src: ansible_vars_goss.yml.j2 dest: "{{ audit_vars_path }}" - mode: 0600 + mode: '0600' when: - run_audit tags: - goss_template -- name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" - ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" - changed_when: true - environment: - AUDIT_BIN: "{{ audit_bin }}" - AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" - AUDIT_FILE: "goss.yml" - - name: Pre Audit | Capture audit data if json format block: + - name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" + changed_when: true + environment: + AUDIT_BIN: "{{ audit_bin }}" + AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_FILE: "goss.yml" + - name: "capture data {{ pre_audit_outfile }}" ansible.builtin.shell: "cat {{ pre_audit_outfile }}" register: pre_audit @@ -109,6 +101,15 @@ - name: Pre Audit | Capture audit data if documentation format block: + + - name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }} -f documentation" + changed_when: true + environment: + AUDIT_BIN: "{{ audit_bin }}" + AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_FILE: "goss.yml" + - name: "Pre Audit | capture data {{ pre_audit_outfile }} | documentation format" ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}" register: pre_audit From e32cedbecbcdad1ec95490774b730cbda9aa1d3f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 24 Oct 2023 11:03:33 +0100 Subject: [PATCH 13/25] updated Signed-off-by: Mark Bolwell --- Changelog.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/Changelog.md b/Changelog.md index 249241bd..9dd2c8df 100644 --- a/Changelog.md 
+++ b/Changelog.md @@ -1,5 +1,12 @@ # Changes to RHEL8STIG +## 3.0.3 - Stig V1R11 - 26th July 2023 +q +- updates to collections since galaxy updated +- updates to audit + +- #229 thanks to @JacobBuskirk + ## 3.0.2 - Stig V1R11 - 26th July 2023 - workflow and pipeline updates From 4af031e14685768051d847bf57cf2d1442e60680 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 24 Oct 2023 11:04:37 +0100 Subject: [PATCH 14/25] removed quality badge since galaxy removed Signed-off-by: Mark Bolwell --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 7436dc28..8e66d0fa 100644 --- a/README.md +++ b/README.md @@ -12,7 +12,6 @@ This role is based on RHEL 8 DISA STIG: [Version 1, Rel 11 released on July 26, ![followers](https://img.shields.io/github/followers/ansible-lockdown?style=social) [![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/AnsibleLockdown.svg?style=social&label=Follow%20%40AnsibleLockdown)](https://twitter.com/AnsibleLockdown) -![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/56380?label=Quality&&logo=ansible) ![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord) ![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen) From 15f8d9d9af4fa91a4b94d249117ec775b372bc9b Mon Sep 17 00:00:00 2001 From: William Panlener Date: Mon, 23 Oct 2023 21:06:30 -0500 Subject: [PATCH 15/25] Revert "fixed gnutls as per issue 196 thansk to @jmalpede" This reverts commit 63c4c8406e7f6b49eeb94d787f258917e8716b0b. Signed-off-by: William Panlener --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 4efc7f89..236c3fe0 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -894,7 +894,7 @@ rhel8stig_ssh_server_crypto_settings: "-oCiphers=aes256-ctr,aes192-ctr,aes128-ct # RHEL-08-010295 # This will be teh GnuTLS ecryption packages. The task sets the +VERS-ALL: setting, the only items needed are the DoD approved encryptions # to conform to STIG standards this variable must contain +VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0 -rhel8stig_gnutls_encryption: "-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0" +rhel8stig_gnutls_encryption: "+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0" # RHEL-08-020070 # This is the value for the tmux lock after setting. To conform to STIG standards value needs to be set to 900 or less From 0eb99cd0e98f5d195c2d099b8c2d9b42aaf36ddb Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 31 Oct 2023 15:59:56 +0000 Subject: [PATCH 16/25] updated the workflow version and galaxy setup Signed-off-by: Mark Bolwell --- .../workflows/devel_pipeline_validation.yml | 18 +++++++++--------- .github/workflows/main_pipeline_validation.yml | 18 +++++++++--------- .github/workflows/update_galaxy.yml | 14 ++++++-------- 3 files changed, 24 insertions(+), 26 deletions(-) diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml index dba39dc0..9fbe7aa8 100644 --- a/.github/workflows/devel_pipeline_validation.yml +++ b/.github/workflows/devel_pipeline_validation.yml @@ -29,7 +29,7 @@ Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well. - # This workflow contains a single job which tests the playbook + # This workflow contains a single job that tests the playbook playbook-test: # The type of runner that the job will run on runs-on: ubuntu-latest 
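Review bot: The restored value begins with `+VERS-ALL:` while the comment two lines above says the task itself sets the `+VERS-ALL:` setting; if the task still prepends it, the rendered policy line becomes `+VERS-ALL:+VERS-ALL:...`. The task is not in this diff, so this may be precisely what the reverted commit was avoiding. Whichever side owns the prefix, the comment should say so, e.g. `# The value must begin with +VERS-ALL:; the task does not add it.`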
@@ -44,13 +44,13 @@ steps: - name: Clone ${{ github.event.repository.name }} - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} # Pull in terraform code for linux servers - - name: Clone github IaC plan - uses: actions/checkout@v3 + - name: Clone GitHub IaC plan + uses: actions/checkout@v4 with: repository: ansible-lockdown/github_linux_IaC path: .github/workflows/github_linux_IaC @@ -74,7 +74,7 @@ pwd ls env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -82,7 +82,7 @@ id: init run: terraform init env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -90,7 +90,7 @@ id: validate run: terraform validate env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -111,9 +111,9 @@ # Aws deployments taking a while to come up insert sleep or playbook fails - name: Sleep for 60 seconds - run: sleep 60s + run: sleep ${{ vars.BUILD_SLEEPTIME }} - # Run the ansible playbook + # Run the Ansibleplaybook - name: Run_Ansible_Playbook uses: arillso/action.playbook@master with: diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml index 0b149fb3..67ee9d90 100644 --- a/.github/workflows/main_pipeline_validation.yml +++ b/.github/workflows/main_pipeline_validation.yml 
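Review bot: The step is still named `Sleep for 60 seconds` but now runs `sleep ${{ vars.BUILD_SLEEPTIME }}`; when that repository variable is unset the command becomes a bare `sleep` and the job fails with a missing-operand error. Renaming the step, e.g. `- name: Sleep for ${{ vars.BUILD_SLEEPTIME }}`, and giving it a fallback, `run: sleep ${{ vars.BUILD_SLEEPTIME || '60s' }}`, covers both. The same hunk appears in `main_pipeline_validation.yml`, and in both the new comment reads `# Run the Ansibleplaybook` (missing space). The context line `uses: arillso/action.playbook@master` is pre-existing but, unlike the checkouts now pinned to `@v4`, still tracks a moving branch.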
@@ -18,7 +18,7 @@ # that can run sequentially or in parallel jobs: - # This workflow contains a single job which tests the playbook + # This workflow contains a single job that tests the playbook playbook-test: # The type of runner that the job will run on runs-on: ubuntu-latest @@ -33,13 +33,13 @@ steps: - name: Clone ${{ github.event.repository.name }} - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} # Pull in terraform code for linux servers - - name: Clone github IaC plan - uses: actions/checkout@v3 + - name: Clone GitHub IaC plan + uses: actions/checkout@v4 with: repository: ansible-lockdown/github_linux_IaC path: .github/workflows/github_linux_IaC @@ -63,7 +63,7 @@ pwd ls env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -71,7 +71,7 @@ id: init run: terraform init env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -79,7 +79,7 @@ id: validate run: terraform validate env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -100,9 +100,9 @@ # Aws deployments taking a while to come up insert sleep or playbook fails - name: Sleep for 60 seconds - run: sleep 60s + run: sleep ${{ vars.BUILD_SLEEPTIME }} - # Run the ansible playbook + # Run the Ansibleplaybook - name: Run_Ansible_Playbook uses: arillso/action.playbook@master with: 
diff --git a/.github/workflows/update_galaxy.yml b/.github/workflows/update_galaxy.yml index 951a53cb..f9352800 100644 --- a/.github/workflows/update_galaxy.yml +++ b/.github/workflows/update_galaxy.yml @@ -1,11 +1,7 @@ --- -# This is a basic workflow to help you get started with Actions - name: update galaxy -# Controls when the action will run. -# Triggers the workflow on merge request events to the main branch on: push: branches: @@ -14,8 +10,10 @@ jobs: update_role: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - uses: robertdebock/galaxy-action@master + - name: Checkout repo + uses: actions/checkout@v4 + + - name: Action Ansible Galaxy Release ${{ github.ref_name }} + uses: ansible-actions/ansible-galaxy-action@main with: - galaxy_api_key: ${{ secrets.GALAXY_API_KEY }} - git_branch: main + galaxy_api_key: ${{ secrets.GALAXY_API_KEY }} From b1a41aa72d8c8d765b12ddf9aafa78fe9319d072 Mon Sep 17 00:00:00 2001 From: William Golembieski Date: Thu, 9 Nov 2023 15:56:54 -0500 Subject: [PATCH 17/25] Update main.yml Removing stale var rhel8stig_sshd_compression Signed-off-by: William Golembieski --- defaults/main.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 236c3fe0..e3c36861 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -845,10 +845,6 @@ rhel8stig_path_to_sshkey: "/root/.ssh/" # To conform to STIG standards these directories need to be 755 or less permissive rhel8stig_lib_dir_perms: 0755 -# RHEL-08-010510 -# rhel8stig_sshd_compression to meet STIG requirements needs to be set to "no" or "delayed" -rhel8stig_sshd_compression: "no" - # now in prelim # rhel8stig_interactive_uid_start: '1000' From 52fb8390e9b8f06bdb1316f73398817afd8bb102 Mon Sep 17 00:00:00 2001 
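Review bot: `uses: ansible-actions/ansible-galaxy-action@main` pins the publish step to a moving branch, and that step receives `secrets.GALAXY_API_KEY`; whatever lands on that branch next runs with the key. Pinning to a release tag, or preferably a full commit SHA with a `# vX.Y.Z` comment, keeps the release step reproducible and limits what an upstream change can do with the secret. The checkout in the same hunk was pinned to `@v4`, so the same treatment here is consistent.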
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 4 Dec 2023 17:36:39 +0000 Subject: [PATCH 18/25] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/pre-commit/pre-commit-hooks: v4.4.0 → v4.5.0](https://github.com/pre-commit/pre-commit-hooks/compare/v4.4.0...v4.5.0) - [github.com/gitleaks/gitleaks: v8.18.0 → v8.18.1](https://github.com/gitleaks/gitleaks/compare/v8.18.0...v8.18.1) - [github.com/ansible-community/ansible-lint: v6.20.2 → v6.22.1](https://github.com/ansible-community/ansible-lint/compare/v6.20.2...v6.22.1) - [github.com/adrienverge/yamllint.git: v1.32.0 → v1.33.0](https://github.com/adrienverge/yamllint.git/compare/v1.32.0...v1.33.0) --- .pre-commit-config.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 84807cde..a79d4cb8 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -7,7 +7,7 @@ ci: repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.4.0 + rev: v4.5.0 hooks: # Safety - id: detect-aws-credentials @@ -37,13 +37,13 @@ repos: exclude: .config/.gitleaks-report.json - repo: https://github.com/gitleaks/gitleaks - rev: v8.18.0 + rev: v8.18.1 hooks: - id: gitleaks args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint - rev: v6.20.2 + rev: v6.22.1 hooks: - id: ansible-lint name: Ansible-lint @@ -62,6 +62,6 @@ repos: - ansible-core>=2.10.1 - repo: https://github.com/adrienverge/yamllint.git - rev: v1.32.0 # or higher tag + rev: v1.33.0 # or higher tag hooks: - id: yamllint From 0c2e3fc814c0a6fce0e040cc928b84bdc069cb03 Mon Sep 17 00:00:00 2001 
From: whitehat237 Date: Mon, 29 Jan 2024 17:32:32 -0600 Subject: [PATCH 19/25] Adds when criteria for rhel_08_040321 in tasks/fix-cat2.yml, to skip the task when rhel8stig_gui is set to true, resolves issue #243 Signed-off-by: whitehat237 --- tasks/fix-cat2.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 41eada91..5f185677 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -7401,6 +7401,7 @@ state: link when: - rhel_08_040321 + - not rhel8stig_gui tags: - RHEL-08-040321 - CAT2 From d8775a0ed6512020d53999ca1faf50cc8c83a9f3 Mon Sep 17 00:00:00 2001 From: William Golembieski Date: Fri, 2 Feb 2024 15:42:48 -0500 Subject: [PATCH 20/25] Update prelim.yml Update prelim.yml Addressing Oracle Linux distribution identification issue #239 Signed-off-by: William Golembieski --- tasks/prelim.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 2a723ee6..4a04d26d 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -386,7 +386,7 @@ rhel8stig_legacy_boot: false when: - rhel8_efi_boot.stat.exists - - ansible_distribution == 'Oracle Linux' + - ansible_distribution == 'OracleLinux' - name: "PRELIM | set if not UEFI boot" ansible.builtin.set_fact: From a94b0ecf44f8a75b937eb1c9dc12933b56e827fa Mon Sep 17 00:00:00 2001 From: William Golembieski Date: Fri, 2 Feb 2024 15:43:28 -0500 Subject: [PATCH 21/25] Update fix-cat2.yml Addressing issue #241 Signed-off-by: William Golembieski --- tasks/fix-cat2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 41eada91..2e5cdc72 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
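Review bot: The new `- not rhel8stig_gui` condition skips RHEL-08-040321 on GUI hosts without recording why; the commit message ties it to issue #243 but nothing in the task does. A one-line comment above the condition, `# not applied on GUI systems - see #243`, keeps the reason with the code. The enclosing task (the `state: link` body) starts outside this hunk.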
@@ -3260,7 +3260,7 @@ - name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions." block: - name: "MEDIUM | RHEL-08-020030 | AUDIT | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. | Check for lock-enabled" - ansible.builtin.shell: "grep lock-enabled /etc/dconf/db/* -r | cut -f1 -d:" + ansible.builtin.shell: "grep lock-enabled /etc/dconf/db/* -rI | sort -u | tail -n 1 | cut -f1 -d:" changed_when: false failed_when: false register: rhel_08_020030_lock_enabled From bfe67d4291e6230929d786b011773a0a99c22b7a Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Tue, 20 Feb 2024 01:17:54 +0000 Subject: [PATCH 22/25] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/gitleaks/gitleaks: v8.18.1 → v8.18.2](https://github.com/gitleaks/gitleaks/compare/v8.18.1...v8.18.2) - [github.com/ansible-community/ansible-lint: v6.22.1 → v24.2.0](https://github.com/ansible-community/ansible-lint/compare/v6.22.1...v24.2.0) - [github.com/adrienverge/yamllint.git: v1.33.0 → v1.35.1](https://github.com/adrienverge/yamllint.git/compare/v1.33.0...v1.35.1) --- .pre-commit-config.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index a79d4cb8..873f2757 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
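Review bot: `sort -u | tail -n 1 | cut -f1 -d:` sorts the whole `file:matching-line` strings and keeps the last, so which dconf db file wins depends on the text of the matching line rather than on the file name; a lexically later match shadows another file even when that other file is the intended profile db. Selecting on file names alone is simpler and deterministic: `ansible.builtin.shell: "grep -rIl lock-enabled /etc/dconf/db/* | sort -u | tail -n 1"`. The registered `rhel_08_020030_lock_enabled` is consumed outside this hunk; `-l` also yields a bare path, so the consumer should not need changing.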
@@ -37,13 +37,13 @@ repos:
 exclude: .config/.gitleaks-report.json
 
 - repo: https://github.com/gitleaks/gitleaks
- rev: v8.18.1
+ rev: v8.18.2
 hooks:
 - id: gitleaks
 args: ['--baseline-path', '.config/.gitleaks-report.json']
 
 - repo: https://github.com/ansible-community/ansible-lint
- rev: v6.22.1
+ rev: v24.2.0
 hooks:
 - id: ansible-lint
 name: Ansible-lint
@@ -62,6 +62,6 @@ repos:
 - ansible-core>=2.10.1
 
 - repo: https://github.com/adrienverge/yamllint.git
- rev: v1.33.0 # or higher tag
+ rev: v1.35.1 # or higher tag
 hooks:
 - id: yamllint

From d75fa81050e4da005f536f5fadd5a48ad277445b Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 4 Mar 2024 12:27:18 +0000
Subject: [PATCH 23/25] Update meta and readme due to galaxy_ng

Signed-off-by: Mark Bolwell
---
 README.md | 6 ++++++
 meta/main.yml | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 8e66d0fa..d13585e8 100644
--- a/README.md
+++ b/README.md
@@ -190,3 +190,9 @@ This repo originated from work done by [Sam Doran](https://github.com/samdoran/a
 ```sh
 pre-commit run
 ```
+
+## Credits and Thanks
+
+Massive thanks to the fantastic community and all is members
+Huge thanks and Credit to the original authors and maintainers.
+Josh Springer, Daniel Shepherd, Bas Meijeri, James Cassell, Mike Renfro, DFed, George Nalen, Mark Bolwell
diff --git a/meta/main.yml b/meta/main.yml
index f260b661..a9a9978b 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -1,6 +1,6 @@
 ---
 galaxy_info:
- author: "Sam Doran, Josh Springer, Daniel Shepherd, James Cassell, Mike Renfro, DFed, George Nalen, Mark Bolwell"
+ author: "MindPoint Group"
 description: "Apply the DISA RHEL 8 STIG"
 company: "MindPoint Group"
 license: MIT

From 4dd228cef424403da1540cc22dd35a9461a82fc6 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 4 Mar 2024 14:58:44 +0000
Subject: [PATCH 24/25] updated Readme credits

Signed-off-by: Mark Bolwell
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index d13585e8..881aa383 100644
--- a/README.md
+++ b/README.md
@@ -193,6 +193,6 @@ pre-commit run
 
 ## Credits and Thanks
 
-Massive thanks to the fantastic community and all is members
-Huge thanks and Credit to the original authors and maintainers.
+Massive thanks to the fantastic community and all is members.
+This includes a huge thanks and credit to the original authors and maintainers.
 Josh Springer, Daniel Shepherd, Bas Meijeri, James Cassell, Mike Renfro, DFed, George Nalen, Mark Bolwell

From 0c581fc23d33eefff1c7fb65bda98d030ee253c4 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 6 Mar 2024 10:58:56 +0000
Subject: [PATCH 25/25] updated

Signed-off-by: Mark Bolwell
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 881aa383..8d27ce4a 100644
--- a/README.md
+++ b/README.md
@@ -193,6 +193,6 @@ pre-commit run
 
 ## Credits and Thanks
 
-Massive thanks to the fantastic community and all is members.
+Massive thanks to the fantastic community and all its members.
 This includes a huge thanks and credit to the original authors and maintainers.
 Josh Springer, Daniel Shepherd, Bas Meijeri, James Cassell, Mike Renfro, DFed, George Nalen, Mark Bolwell
